ACS - configure shell commands authorization to work under config mode (conf t)

laviel
Cisco Employee

Hi everyone,

I'm trying to configure a shell commands set such that all commands (including under conf t mode) will be allowed, except for administrative commands, such as write, copy, admin, format etc.

It's been working for (most) privileged mode commands (such as write and copy) but has been unsuccessful for any command under conf t mode. It's important in order to prevent the users from performing 'do write' and 'do copy run start' commands, for example.

Here's the input of the shell command authorization set (Partial_access):

Unmatched Commands: permit

Command list:

admin

copy

delete

do

format

write

Group settings (relevant):

V - Shell (exec)

V Privilege level - 15

Shell Command Authorization Set

Assign a Shell Command Authorization Set for any network device - Partial_access (group's name)

I'm using CiscoSecure ACS version 4.2 (0)

Thanks,

Lior

Accepted Solutions

hkhrais
Level 1

Hi Lior,

Please make sure that you typed under the AAA client the following commands:

AAA authorization config-commands

Please post your AAA client configuration via "sh run | i aaa" and, if possible, your privilege configuration.

HTH

Hi Hussam,

Thanks a lot! That solved the problem

Lior
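
An AAA client configuration of the kind the accepted answer asks about, as an added example that is not part of the original thread. The server address, the shared secret and the choice of `local` as fallback method are assumptions; only `aaa authorization config-commands` and the `sh run | i aaa` check come from the posts above.

```cisco
! Constructed example: 192.0.2.10 and <shared-secret> are placeholders.
aaa new-model
tacacs-server host 192.0.2.10 key <shared-secret>
!
! Log in and start the exec shell through the ACS (TACACS+) server,
! falling back to the local user database if the server is unreachable.
aaa authentication login default group tacacs+ local
aaa authorization exec default group tacacs+ local
!
! Send EXEC commands at privilege levels 1 and 15 to the server, where
! the group's shell command authorization set (Partial_access) is applied.
aaa authorization commands 1 default group tacacs+ local
aaa authorization commands 15 default group tacacs+ local
!
! The line from the accepted answer: also send commands entered in
! configuration mode (after "conf t") for authorization, so the same
! command set is evaluated there as well.
aaa authorization config-commands
!
! Check what is configured, from privileged EXEC:
!   show running-config | include aaa
```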